by hannob 2170 days ago
Isn't this more an example of "fail-open design is bad, use fail-close"? Or in other words "make an allowlist, not a blocklist"?

I mean look at those variables, this seems like a losing battle. PERLLIB, PERL5LIB etc. - what if there's a PERL6LIB at some point or a NEWSCRIPTINGLANGUAGELIB variable?

3 comments

Yes. This is why running without `env_reset` is considered inherently insecure and the typo fix wasn't considered a security fix by the sudo maintainers.

The list is still relevant to this discussion though as a nice "greatest hits" cheat-sheet of fun environment variables to play with here.

Actually, there is such a thing as PERL6LIB: it's an environment variable still recognized by Raku (formerly known as Perl 6). As you may know, Perl 6 has been renamed to Raku (https://raku.org using the #rakulang tag on social media). FWIW, there is now also a RAKULIB environment variable :-)

Well, touché.

I think that the fail-close design (I know them as positive-style branching) should be embraced everywhere possible.

But can this be actually achieved without breaking the ecosystem in the sense of having to start all over again?
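
The blocklist-versus-allowlist point made in this thread, as an added example that is not part of any comment and is not sudo's code: the same caller environment is filtered both ways before a privileged child is started. The list contents, `SAFE_PATH`, the function names and the sample environment are assumptions made up for the illustration.

```python
import subprocess

# Illustrative lists only; these are not sudo's actual tables.
BLOCKLIST = {"PERLLIB", "PERL5LIB", "PYTHONPATH", "LD_PRELOAD", "LD_LIBRARY_PATH"}
ALLOWLIST = {"TERM", "LANG", "LC_ALL", "TZ"}
SAFE_PATH = "/usr/sbin:/usr/bin:/sbin:/bin"  # assumed fixed PATH for the child

def filter_blocklist(env):
    """Fail-open: drop the names we know are dangerous, pass everything else."""
    return {k: v for k, v in env.items() if k not in BLOCKLIST}

def filter_allowlist(env):
    """Fail-closed: keep only reviewed names with printable values, set PATH ourselves."""
    out = {k: v for k, v in env.items() if k in ALLOWLIST and v.isprintable()}
    out["PATH"] = SAFE_PATH
    return out

def caller_controlled_unreviewed(env, filtered):
    """Names that reach the child with the caller's value but were never reviewed."""
    return sorted(k for k, v in filtered.items()
                  if k not in ALLOWLIST and env.get(k) == v)

def run_clean(cmd, env):
    """Run cmd with the fail-closed environment instead of the inherited one."""
    return subprocess.run(cmd, env=filter_allowlist(env), check=True,
                          capture_output=True, text=True)

# Constructed caller environment using the variable names from the thread.
CALLER_ENV = {
    "TERM": "xterm-256color",
    "LANG": "en_US.UTF-8",
    "PATH": "/tmp/build/bin:/usr/bin",
    "PERL5LIB": "/tmp/lib",                 # known to the blocklist
    "PERL6LIB": "/tmp/lib",                 # appeared after the list was written
    "RAKULIB": "/tmp/lib",                  # the renamed successor
    "NEWSCRIPTINGLANGUAGELIB": "/tmp/lib",  # the hypothetical from the top post
}

if __name__ == "__main__":
    for name, f in (("blocklist", filter_blocklist), ("allowlist", filter_allowlist)):
        kept = f(CALLER_ENV)
        print(name, "passes unreviewed:", caller_controlled_unreviewed(CALLER_ENV, kept))
```
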